Extend proactive token refresh to client_credentials

change/@azure-msal-node-9b01df06-64f9-4f34-8a6b-0bb05ab12f14.json

@@ -0,0 +1,7 @@
+{
+  "type": "patch",
+  "comment": "Extend proactive token refresh to client_credentials",
+  "packageName": "@azure/msal-node",
+  "email": "[email protected]",
+  "dependentChangeType": "patch"
+}

lib/msal-node/src/client/ClientCredentialClient.ts

@@ -73,14 +73,14 @@ export class ClientCredentialClient extends BaseClient {
     ): Promise<AuthenticationResult | null> {
         const cachedAccessToken = this.readAccessTokenFromCache();
 
+        // must refresh due to non-existent access_token
         if (!cachedAccessToken) {
             this.serverTelemetryManager?.setCacheOutcome(
                 CacheOutcome.NO_CACHED_ACCESS_TOKEN
             );
             return null;
-        }
-
-        if (
+        // must refresh due to the expires_in value
+        } else if (
             TimeUtils.isTokenExpired(
                 cachedAccessToken.expiresOn,
                 this.config.systemOptions.tokenRenewalOffsetSeconds
@@ -89,7 +89,26 @@ export class ClientCredentialClient extends BaseClient {
             this.serverTelemetryManager?.setCacheOutcome(
                 CacheOutcome.CACHED_ACCESS_TOKEN_EXPIRED
             );
+
             return null;
+        // the token is not expired, but it must be refreshed due to the refresh_in value
+        } else if (
+            cachedAccessToken.refreshOn &&
+            TimeUtils.isTokenExpired(cachedAccessToken.refreshOn, 0)
+        ) {
+            this.serverTelemetryManager?.setCacheOutcome(
+                CacheOutcome.REFRESH_CACHED_ACCESS_TOKEN
+            );
+
+            this.logger.info(
+                "ClientCredentialClient:getCachedAuthenticationResult - Cached access token's refreshOn property has been exceeded'. It's not expired, but must be refreshed."
+            );
+
+            // the token's cache key // will be used to remove the token from the cache if necessary
+            const accessTokenCacheKey = cachedAccessToken.generateCredentialKey();
+
+            // start a background request to get a new token
+            this.executeTokenRequest(request, this.authority, accessTokenCacheKey);
         }
 
         return await ResponseHandler.generateAuthenticationResult(
@@ -138,7 +157,8 @@ export class ClientCredentialClient extends BaseClient {
      */
     private async executeTokenRequest(
         request: CommonClientCredentialRequest,
-        authority: Authority
+        authority: Authority,
+        accessTokenCacheKey?: string,
     ): Promise<AuthenticationResult | null> {
         let serverTokenResponse: ServerAuthorizationTokenResponse;
         let reqTimestamp: number;
@@ -193,6 +213,23 @@ export class ClientCredentialClient extends BaseClient {
                 headers,
                 thumbprint
             );
+
+            // check if a new token is being requested because the cached token needs to be refreshed, not because it's expired
+            if (accessTokenCacheKey) {
+                // check if ESTS is down (status code 429 or 5xx)
+                if ((response.status === 429) || (response.status >= 500)) {
+                    this.logger.warning(
+                        "ClientCredentialClient:executeTokenRequest - AAD is currently unavailable and is unable to refresh the token."
+                    );
+                // ESTS is not down, the cached token is bad and should be removed from the cache
+                } else {
+                    this.logger.error(
+                        "ClientCredentialClient:executeTokenRequest - AAD is currently available but is unable to refresh the token. Returning the unexpired token and removing it from the cache."
+                    );
+                    this.cacheManager.removeAccessToken(accessTokenCacheKey);
+                }
+            }
+
             serverTokenResponse = response.body;
         }
 

lib/msal-node/test/client/ClientCredentialClient.spec.ts

@@ -982,6 +982,88 @@ describe("ClientCredentialClient unit tests", () => {
         expect(authResult.state).toHaveLength(0);
     });
 
+    it("re-acquires a token via a network request, because the cached token's refreshOn value is expired", async () => {
+        sinon
+            .stub(Authority.prototype, <any>"getEndpointMetadataFromNetwork")
+            .resolves(DEFAULT_OPENID_CONFIG_RESPONSE.body);
+        sinon
+            .stub(
+                ClientCredentialClient.prototype,
+                <any>"executePostToTokenEndpoint"
+            )
+            .resolves(CONFIDENTIAL_CLIENT_AUTHENTICATION_RESULT);
+
+        const createTokenRequestBodySpy = sinon.spy(
+            ClientCredentialClient.prototype,
+            <any>"createTokenRequestBody"
+        );
+        const client = new ClientCredentialClient(config);
+        const clientCredentialRequest: CommonClientCredentialRequest = {
+            authority: TEST_CONFIG.validAuthority,
+            correlationId: TEST_CONFIG.CORRELATION_ID,
+            scopes: TEST_CONFIG.DEFAULT_GRAPH_SCOPE,
+        };
+
+        const expectedAtEntity: AccessTokenEntity =
+            AccessTokenEntity.createAccessTokenEntity(
+                "",
+                "login.microsoftonline.com",
+                "an_access_token",
+                config.authOptions.clientId,
+                TEST_CONFIG.TENANT,
+                TEST_CONFIG.DEFAULT_GRAPH_SCOPE.toString(),
+                TimeUtils.nowSeconds() + 4600,
+                TimeUtils.nowSeconds() + 4600,
+                mockCrypto,
+                TimeUtils.nowSeconds() - 4600, // refreshOn
+                AuthenticationScheme.BEARER
+            );
+        console.log(expectedAtEntity);
+
+        sinon
+            .stub(
+                ClientCredentialClient.prototype,
+                <any>"readAccessTokenFromCache"
+            )
+            .returns(expectedAtEntity);
+
+        const authResult = (await client.acquireToken(
+            clientCredentialRequest
+        )) as AuthenticationResult;
+        const expectedScopes = [TEST_CONFIG.DEFAULT_GRAPH_SCOPE[0]];
+        expect(authResult.fromCache).toBe(false);
+        expect(authResult.scopes).toEqual(expectedScopes);
+        expect(authResult.accessToken).toEqual(
+            CONFIDENTIAL_CLIENT_AUTHENTICATION_RESULT.body.access_token
+        );
+        expect(authResult.state).toHaveLength(0);
+
+        expect(
+            createTokenRequestBodySpy.calledWith(clientCredentialRequest)
+        ).toBe(true);
+
+        const returnVal = (await createTokenRequestBodySpy
+            .returnValues[0]) as string;
+        expect(
+            returnVal.includes(`${TEST_CONFIG.DEFAULT_GRAPH_SCOPE[0]}`)
+        ).toBe(true);
+        expect(
+            returnVal.includes(
+                `${AADServerParamKeys.CLIENT_ID}=${TEST_CONFIG.MSAL_CLIENT_ID}`
+            )
+        ).toBe(true);
+        expect(
+            returnVal.includes(
+                `${AADServerParamKeys.GRANT_TYPE}=${GrantType.CLIENT_CREDENTIALS_GRANT}`
+            )
+        ).toBe(true);
+        expect(
+            returnVal.includes(
+                `${AADServerParamKeys.CLIENT_SECRET}=${TEST_CONFIG.MSAL_CLIENT_SECRET}`
+            )
+        ).toBe(true);
+    });
+
     it("acquires a token, skipCache = true", async () => {
         sinon
             .stub(Authority.prototype, <any>"getEndpointMetadataFromNetwork")